Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

The Linux Foundation Set to Improve Open-Source Code Security

VANCOUVER, B.C.—The Linux Foundation is set to expand its Core Infrastructure Initiative (CII) for improving open-source code security, that was initially setup in the aftermath of the OpenSSL Heartbleed vulnerability in 2014.

In a video interview at the Open Source Summit, Jim Zemlin, Executive Director of the Linux Foundation explains why the CII remains a critical effort for his organization and what is coming next to help improve open source security.

"Most security vulnerabilities are just bugs," Zemlin said.

Further reading

CII was setup in 2014 by the Linux Foundation with initial support from VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. The original goal was to try and help prevent another Heartbleed attack. With Heartbleed, a critical set of flaws was discovered in the open-source OpenSSL codebase that exposed many organizations to the risk of exploitation. The Heartbleed flaw also revealed that there were a number of critical open-source efforts that were underfunded and not able to perform adequate code and security quality assurance analysis.

CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

"You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

Among the new activities coming from the CII, will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin that CII's money was used to fund development work for OpenSSL, NTP (Network Time Protocol) and conducting audits.

"There will now be more resources and human capital put toward potential testing initiatives and other activities that we'll have," he said.

Overall, Zemlin said that he wants to see improved security implemented across all open-source projects, whether they are hosted by the Linux Foundation or otherwise. He said that CII will be looking at how to bring in a crowdsourced approach to improve code quality assurance.

Improving the Linux Foundation

The upcoming expanded effort from the CII is part of the larger mission of the Linux Foundation to improve all aspects of the open-source software development ecosystem.

"We want to be the best upstream from the downstream consumption of the open-source projects we host," Zemlin said.

To that end, the Linux Foundation is building systems and process that help to enable the open-source community with the lowest cost model possible.

"You'll see us in the next six to 12 months continually rolling out tools, processes and frameworks that improve our productivity and benefit our communities," Zemlin said.

Watch the full video interview with Jim Zemlin above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.